Active Directory Integration with Office 365: Complete Federation

Welcome back! In the first article of this series we began integrating and installing local Active Directory with Office 365. Verifying local account UPN suffixes was covered as well as downloading and installing Microsoft Active Directory Federation Services 2.0 (AD FS 2.0 for short). It’s time to complete federation and get everything ready for Single Sign-On.

Before putting the cart before the horse, it’s important to verify that some prep work has been completed. First, an SSL Certificate for the domain to be federated is bound to the default website of the server running AD FS 2.0. It’s great if you have an internal certificate authority, but if not I strongly recommend investing in an SSL cert from a commercial authority. They’re relatively cheap, and most importantly they’re easy to get up and going. Note: It’s also necessary to make sure the domain to be federated is added and verified within the Office 365 Admin Center. If either of these tasks is not completed then the instructions in this article will fail miserably.

Download and install the Microsoft Online Services Sign-in Assistant: click Download next to the 64-bit version of the software (msoidcli_64bit.msi).

Select Run.

Click the checkbox to accept the license terms then click Install.

Click Finish.

Download and install the Windows Azure Active Directory Module for Windows PowerShell to the computer running Microsoft Active Directory Federation Services 2.0. This tool leverages the power of PowerShell to complete some of the necessary administration tasks.

Select the 64-bit version of the Windows Azure Active Directory Module for Windows PowerShell, then click Download.

Select Run.

Click Next.

Click the radio button to Accept the License Terms and then click Next.

Click Next to accept the default installation folder.

Click Install. After that’s done, click Finish.

Configure AD FS 2.0

The time has arrived to configure Active Directory Federation Services 2.0:

Log on to the Domain Controller where AD FS 2.0 is installed using an account with Domain Admin privileges.

Launch AD FS 2.0 Management from Administrative Tools.

Click the AD FS 2.0 Federation Server Configuration Wizard link.

Select Create a new Federation Service, then click Next.

Select New federation server farm. Although there will only be one server at this stage, selecting this option provides the flexibility to add additional servers later for high availability and load balancing.

Click Browse, select the AD account to use as the AD FS 2.0 service account, and then click Next. Choose any account, but make sure its password is set to never expire.

Verify that the SSL certificate and Federation Service name match those created earlier.

Click Next.

The wizard will display a list of the steps it will perform. Click Next to let the process complete.

Review the results and click Close to finish the wizard.

Now, it’s better to be safe than sorry. To avoid problems, verify that the domain added earlier to Office 365 Admin Center — in other words, the domain to be federated — is marked active.

Convert Office 365 Domain into a Federated Domain

Now that AD FS 2.0 is configured and the other prerequisites are in place, it’s time to convert the domain added to Office 365 into a federated domain.

Log on to the Domain Controller where AD FS 2.0 is installed using an account with Domain Admin privileges.

Run the Windows Azure Active Directory Module for Windows PowerShell by right-clicking the icon and selecting Run As Administrator.

Enter $cred = Get-Credential to capture the credentials used in the next step.

Enter the Microsoft Online Services ID you would use to sign in to Office 365 and click OK.

Enter the cmdlet Connect-MsolService -Credential $cred to connect to the Microsoft Online Service.

Enter Set-MsolADFSContext -Computer {FQDN of the AD FS 2.0 Computer} to tell the Microsoft Online Service the name of the local computer running AD FS 2.0. In this example the cmdlet is Set-MsolADFSContext -Computer Moody.awssol.com.

Enter Convert-MsolDomainToFederated -DomainName {Domain to be federated}. For this example, the cmdlet is Convert-MsolDomainToFederated -DomainName awssol.com.

Check to make sure that all is as it should be by using the Get-MsolFederationProperty -DomainName {Office 365 Domain Name} cmdlet. No surprise, the cmdlet for this example is Get-MsolFederationProperty -DomainName awssol.com.

Review the displayed settings to verify that federation was successful by checking that both the AD FS server and Office 365 reference the same STS (token-signing) certificate used by AD FS 2.0.
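The PowerShell steps above collected into one script, with a pre-flight check that the domain is verified and a comparison of the certificate recorded on both sides. This is an added example, not code from the original article; the server name Moody.awssol.com and the domain awssol.com are the article's example values, and the output property names of Get-MsolFederationProperty (Source, TokenSigningCertificate) are assumed from the MSOnline module documentation.

```powershell
# Added example (not from the original article). Run in the Windows Azure Active
# Directory Module for Windows PowerShell as an administrator.
$AdfsServer = 'Moody.awssol.com'   # FQDN of the AD FS 2.0 server (article's example value)
$Domain     = 'awssol.com'         # domain already added and verified in Office 365

$cred = Get-Credential            # Microsoft Online Services ID used for Office 365
Connect-MsolService -Credential $cred

# Pre-flight: the domain must exist in the tenant and be verified; converting an
# unverified domain fails, so stop here with a clear message instead.
$msolDomain = Get-MsolDomain -DomainName $Domain -ErrorAction Stop
if ($msolDomain.Status -ne 'Verified') {
    throw "Domain $Domain is not verified in Office 365 (status: $($msolDomain.Status))."
}

if ($msolDomain.Authentication -eq 'Federated') {
    Write-Host "Domain $Domain is already federated; skipping conversion."
} else {
    # Tell the Microsoft Online Service which local computer runs AD FS 2.0, then convert.
    Set-MsolADFSContext -Computer $AdfsServer
    Convert-MsolDomainToFederated -DomainName $Domain
}

# Verification: Get-MsolFederationProperty returns one object per source
# ('ADFS Server' and 'Microsoft Office 365'). Office 365 must hold the same
# token-signing certificate that AD FS uses, otherwise tokens AD FS issues
# will be rejected at sign-in. Property names are assumed (see lead-in).
$props     = Get-MsolFederationProperty -DomainName $Domain
$adfsSide  = $props | Where-Object { $_.Source -eq 'ADFS Server' }
$cloudSide = $props | Where-Object { $_.Source -eq 'Microsoft Office 365' }

$adfsThumb  = $adfsSide.TokenSigningCertificate.Thumbprint
$cloudThumb = $cloudSide.TokenSigningCertificate.Thumbprint

if (-not $adfsThumb -or $adfsThumb -ne $cloudThumb) {
    throw "Token-signing certificate mismatch: AD FS=$adfsThumb, Office 365=$cloudThumb"
}
Write-Host "Federation OK for $Domain; Office 365 trusts token-signing certificate $adfsThumb."
```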

Office 365 and the domain name awssol.com are now federated. Next up is to synchronize Active Directory with Office 365, assign licenses to select users, and test everything for proper operation. All this, along with a few extra tips for success, will be covered in the final article of this series. Until then, sit back, relax, and enjoy some of the other great articles here on Petri.co.il!


About the Contributor

During his 20+ years in the IT industry, John has enjoyed the opportunity to work as a consultant, architect, executive, speaker, and author. He’s been involved in multi-national networking, messaging, and communications projects as well as finding solutions for small mom and pop shops allowing them to use technology to increase business opportunity and decrease operational complexity.

John has authored material for both Thomson-Reuters’ Aspatore Books and Exec Blueprints publications. He regularly contributes technology articles to the Petri.co.il online community in addition to developing exciting training courses for the best IT training company in the world, TrainSignal.

John often speaks at IT events around the nation. Recently he has been a featured presenter on innovative technology solutions for the enterprise at conferences such as TechMentor, Live!360, the NEOSA CIO Summit, and the Northeast Ohio Technology Summit. When he’s not presenting at a conference, John can often be found leading informative webinars.

John is proud to be the North East Ohio Software Association’s CIO of the Year Award recipient in 2012.